1 Introduction
Most solutions for "IP address theft" adopt MAC and IP address binding policies, which is very dangerous. This article discusses this issue. We need to declare here that this article is concerned with the security of MAC and IP address binding policies, not with hacking.
1.1 Why do I need to bind a MAC address to an IP address?
There are many factors that affect network security. IP address theft and address spoofing are common and harmful ones. In reality, many network applications are IP-based: for example, traffic statistics and account control all use the IP address as an important parameter to identify users. If a legitimate address is stolen and the thief is disguised as a legitimate user, the data transmitted over the network may be damaged, eavesdropped on, or even stolen, causing irreparable losses.
It is difficult to steal an IP address on an external network, because routers and other network interconnection devices generally restrict the IP address range on each port, and packets whose addresses do not fall within that range cannot pass through these devices. However, if the IP address of a valid user inside the Ethernet is stolen, such interconnection devices are obviously powerless. For IP addresses stolen inside the Ethernet a corresponding solution is also available: binding MAC addresses to IP addresses is a common, simple, and effective measure to prevent internal IP address theft.
1.2 How MAC and IP addresses are bound
It is easy to modify an IP address, while the MAC address is stored in the EEPROM of the NIC and uniquely identifies the NIC. Therefore, to prevent internal personnel from using illegal IP addresses (for example, stealing the IP address of a person with higher permissions to obtain information beyond their own permissions), the IP addresses of the internal network can be bound to MAC addresses: even if the IP address is modified, the theft fails because the MAC address does not match. In addition, because the MAC address of a NIC is unique and fixed, the NIC that uses a given MAC address can be located from that address, and the thief is thereby detected.
Currently, many internal networks, especially campus networks, use MAC address and IP address binding. Many firewalls (hardware firewalls and software firewalls) have built-in MAC/IP address binding functions to prevent IP addresses from being stolen.
On the surface, binding MAC addresses to IP addresses prevents internal IP addresses from being stolen. However, because of the way the protocols at different layers and the NIC drivers are implemented, MAC/IP address binding has many drawbacks and does not really prevent the theft of internal IP addresses.
2. Cracking MAC and IP address binding policies
2.1 Introduction to IP addresses and MAC addresses
The current TCP/IP network is a four-layer protocol structure; from bottom to top the layers are the link layer, network layer, transport layer and application layer.
Ethernet is a link layer protocol and uses MAC addresses. The MAC address is the hardware identifier of the Ethernet NIC; it is stored in the NIC's EEPROM when the NIC is manufactured. The MAC addresses of different NICs differ, so a MAC address uniquely identifies a network card. Each packet transmitted over the Ethernet contains the MAC address of the NIC that sent it.
Ethernet identifies the sender and receiver of a packet by the source and destination MAC addresses in the Ethernet frame header. The IP protocol operates at the network layer and uses IP addresses. Each IP packet header contains a source IP address and a destination IP address to indicate the sender and receiver of the IP packet. When IP packets are transmitted over Ethernet, the IP packet is carried as the data of the Ethernet frame, so IP addresses are transparent to Ethernet switches. One or more IP addresses can be configured for a network card as needed; there is no one-to-one relationship between MAC addresses and IP addresses.
The MAC address is stored in the NIC's EEPROM and is unique. However, when the NIC driver sends an Ethernet frame it does not read the MAC address from the EEPROM; instead it creates a cache area in memory and takes the source MAC address of the frame from there. That cache can be modified, and with it the source MAC address in the Ethernet frame. Since the MAC address can be modified, binding a MAC address to an IP address loses its original meaning.
2.2 Cracking scheme
The figure (not reproduced here) shows the structure of the cracking test. Both the internal server and the external server provide web services, and the firewall binds MAC addresses to IP addresses: if the source MAC/IP address pair in a packet does not match a MAC/IP address pair configured in the firewall, the packet cannot pass through the firewall. Both host 2 and the internal server are valid machines on the internal network; host 1 is a new machine added for the experiment, running Windows 2000 Enterprise Edition with a 3Com NIC.
In the test, the MAC and IP addresses of the NIC in host 1 are changed to those of the stolen device. First, open "Network and Dial-up Connections" in the control panel, select the corresponding NIC, right-click it and select Properties, then click "Configure" on the "General" page of the property sheet. On the configuration page, select "Advanced", select "Network Address" in the "Property" column, select the input box in the "Value" column, and enter the MAC address of the stolen device in that box.
Then configure the IP address as the IP address of the stolen device. Intranet client IP address theft: change the MAC and IP addresses of host 1 to those of host 2. Host 1 can then access the external server and passes through the firewall smoothly; its access permissions are different from those of host 2. In addition, host 2 can access the external server normally without being affected by host 1. Neither host 2 nor the firewall can detect host 1. Host 1 does not need to go through the firewall to access the internal server.
Intranet server IP address theft: change the MAC and IP addresses of host 1 to those of the internal server. Host 1 also provides web services; to make the effect more obvious, the web content provided on host 1 differs from that provided by the internal server.
In the actual experiment, host 1 and host 2 are connected to the same hub. The access requests of host 2 are always answered first by host 1, so when host 2 expects to access the internal server, what it gets is always what host 1 provides. In general, whether host 2 receives the content provided by host 1 or by the internal server is random and depends on who responds to the access request first; this is elaborated further in the analysis below.
Theft of the server's MAC and IP addresses can cause greater harm. If the web content provided by host 1 is the same as that of the internal server, host 2 cannot tell which machine it is accessing; if the web content requires a user account, password, or other information, that information is exposed at a glance to host 1.
3. Causes of successful cracking
The experiment above demonstrates that binding a MAC address to an IP address has many defects and cannot effectively prevent internal IP addresses from being stolen. Next, we analyze the defects in detail from a theoretical standpoint.
The premise of the defect is the NIC's promiscuous receiving mode, in which the NIC receives all packets transmitted on the network regardless of whether the destination MAC address is its own. It is because the NIC supports promiscuous mode that the NIC driver can support changing the MAC address; otherwise, even if the MAC address were modified, the NIC could not receive packets addressed to the new address, it could only send and not receive, and communication would fail.
The direct cause of MAC address theft is the mechanism by which the NIC driver sends Ethernet frames. The source MAC address in the frame is filled in by the driver, but the driver does not read the MAC from the NIC's EEPROM; instead it keeps a MAC address cache in memory. When the NIC is initialized, the content of the EEPROM is read into this cache. If the cache content is changed to a user-specified MAC address, the source address of outgoing Ethernet frames becomes the modified MAC address.
Modifying the MAC address alone is not enough to achieve address theft. Ethernet is broadcast-based: an Ethernet NIC can listen to all packets transmitted on the LAN, but it only receives Ethernet frames whose destination address matches its own MAC address. If two hosts with the same MAC address each send access requests, the response packets to both requests match both hosts, so each host receives not only the content it needs but also the content intended for the other host with the same MAC address.
It would be reasonable to expect that after receiving these redundant packets the two hosts could not work normally, the theft would be noticed immediately, and it could not continue. However, after the address is stolen in the experiment, each device works normally without interference. What is the reason? The answer lies in the protocol used by the upper layer.
Currently, the most common protocol suite in networks is TCP/IP, and network applications generally run over TCP or UDP. For example, the HTTP protocol used by the web server in the experiment is based on TCP. In TCP or UDP, the two communicating parties are identified not only by IP addresses but also by port numbers. In general applications the port number on the client side is not set in advance but is generated by the protocol stack according to certain rules and is random; this is the case when, as in the example above, IE is used to access the web server. A UDP or TCP port number is a 16-bit binary number, and the probability that two 16-bit random numbers are equal is very small (what happens if they are equal is discussed below). Although the MAC and IP addresses of the two hosts are the same, their application port numbers differ, so the redundant data received cannot find a matching port number at the TCP/UDP layer and is discarded as useless; this processing at the TCP/UDP layer is transparent to the user layer. Therefore, users can use the corresponding services "correctly" and are not affected by the address theft.
Of course, the port numbers of some applications may be set by the user or by the application itself rather than generated randomly by the protocol stack. What happens then? For example, if two hosts with the same MAC and IP addresses start applications using the same port, will the two applications fail to work properly? Actually, not always.
If the lower layer uses UDP, the two applications interfere with each other and cannot work normally. If TCP is used, the result is different. TCP is connection-oriented; to implement retransmission and ensure correct data transfer, TCP introduces the sequence number and the receive window. Among packets whose port numbers match, only those whose sequence numbers fall within the receive window are accepted; the others are discarded as expired packets. The TCP sequence number is 32 bits. The sequence number of the first segment sent by each application is generated strictly at random, and thereafter the sequence number of each packet is incremented by 1.
The window size field is 16 bits, so the maximum window is 2^16, while the sequence number space is 2^32. The probability that the sequence number of a TCP segment expected by one host also falls within the other host's receive window is therefore at most 1/2^16, which is very small. The TCP sequence number was originally introduced to achieve correct transmission of packets, but here it becomes an accomplice of address theft.
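The following simulation, added here as an illustration and not part of the original article, models the port and receive-window checks described in this section with constructed data structures (the names TcpEndpoint, Segment, deliver_to_both, simulate and stray_accept_probability are the example's own, not a real socket API). It shows that a response segment reaching both hosts that share one MAC/IP pair is silently dropped by the host whose port or sequence window does not match, and it computes the probability estimate given above.

```python
"""Simulation of the TCP/UDP demultiplexing argument from section 3.

Added example, not code from the original article. Two hosts share one
MAC/IP pair, so every response segment reaches both NICs; the transport
layer then keeps only segments whose destination port is bound locally
and whose sequence number falls inside the receive window. All classes,
function names and sample values here are constructed for this example.
"""
import random
from dataclasses import dataclass, field

PORT_SPACE = 2 ** 16   # TCP/UDP port numbers are 16 bits
SEQ_SPACE = 2 ** 32    # TCP sequence numbers are 32 bits


@dataclass
class Segment:
    """Minimal TCP segment: only the fields the demux decision needs."""
    dst_port: int
    seq: int
    payload: bytes


@dataclass
class TcpEndpoint:
    """One TCP connection on a host: local port, next expected sequence
    number and receive window (the window field is 16 bits, so <= 2**16)."""
    local_port: int
    rcv_nxt: int
    rcv_wnd: int = 8192
    received: list = field(default_factory=list)

    def accept(self, seg: Segment) -> bool:
        """Return True if the segment is queued for the application.

        Mirrors the two checks in the article: the port must be bound on
        this host, and the sequence number must lie in the receive window
        (computed modulo 2**32 so wrap-around is handled)."""
        if seg.dst_port != self.local_port:
            return False                      # no matching port: dropped
        offset = (seg.seq - self.rcv_nxt) % SEQ_SPACE
        if offset >= self.rcv_wnd:
            return False                      # outside window: dropped as stale
        self.received.append(seg.payload)
        if offset == 0:                       # in-order data advances rcv_nxt
            self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % SEQ_SPACE
        return True


def deliver_to_both(seg: Segment, a: TcpEndpoint, b: TcpEndpoint) -> tuple:
    """Both NICs carry the same MAC, so both hosts see the same frame."""
    return a.accept(seg), b.accept(seg)


def stray_accept_probability(rcv_wnd: int, same_port: bool) -> float:
    """The article's estimate of the chance that a stray segment is accepted.

    With the other host's port unknown, the port must match (1 / 2**16,
    assuming uniformly random ephemeral ports) and the sequence number
    must land in the window (rcv_wnd / 2**32). With a fixed shared port,
    only the window check remains, bounded by 2**16 / 2**32 = 1 / 2**16."""
    p_seq = rcv_wnd / SEQ_SPACE
    return p_seq if same_port else p_seq / PORT_SPACE


def simulate(trials: int, seed: int = 0) -> int:
    """Count how often host B accepts a response meant for host A when
    both pick random ephemeral ports (49152-65535) and random ISNs."""
    rng = random.Random(seed)
    leaked = 0
    for _ in range(trials):
        a = TcpEndpoint(rng.randrange(49152, PORT_SPACE), rng.randrange(SEQ_SPACE))
        b = TcpEndpoint(rng.randrange(49152, PORT_SPACE), rng.randrange(SEQ_SPACE))
        response = Segment(dst_port=a.local_port, seq=a.rcv_nxt,
                           payload=b"HTTP/1.0 200 OK")
        got_a, got_b = deliver_to_both(response, a, b)
        assert got_a                          # the intended host always accepts
        if got_b:
            leaked += 1
    return leaked


if __name__ == "__main__":
    print("stray segments accepted in 5000 trials:", simulate(5000, seed=1))
    print("p(accept), random ports:", stray_accept_probability(8192, same_port=False))
    print("p(accept), shared port:", stray_accept_probability(8192, same_port=True))
```

The simulation deliberately omits everything that does not bear on the argument (checksums, flags, retransmission), so the only reason the second host ever accepts a segment is the coincidence of port and window that the article quantifies.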
4. Solutions to MAC/IP address binding cracking
There are many methods to counter the cracking of MAC and IP address binding, mainly the following.
Binding switch ports, MAC addresses, and IP addresses together; proxy services and firewalls; user authentication using the PPPoE protocol; and methods based on directory service policies.
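The first method listed, binding the switch port to the MAC and IP addresses, can be checked from the defender's side with a simple audit. The script below is an added example, not code from the original article or from any vendor: it compares a snapshot of a switch's MAC address table and a gateway's ARP table against the administrator's list of (port, MAC, IP) bindings and reports every inconsistency. The line formats, parser names (normalize_mac, parse_mac_table, parse_arp_table, audit) and all addresses are constructed for this example and are not the output of any real device.

```python
"""Audit of switch-port / MAC / IP bindings.

Added example, not code from the original article. It checks a snapshot
of a switch's MAC address table and the gateway's ARP table against the
administrator's list of (port, MAC, IP) bindings and reports every
inconsistency. The line formats, the parsers and all entries below are
constructed for this example and are not the output of any real device.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ip: str


def normalize_mac(raw: str) -> str:
    """Accept 0050.da11.2233, 00:50:da:11:22:33 or 00-50-DA-11-22-33."""
    digits = raw.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict:
    """'vlan mac type port' lines -> {mac: set(ports)}; other lines skipped."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # blank line or column header
        _vlan, mac, _type, port = fields
        seen[normalize_mac(mac)].add(port)
    return dict(seen)


def parse_arp_table(text: str) -> dict:
    """'ip mac' lines -> {ip: mac}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        ip, mac = fields
        table[ip] = normalize_mac(mac)
    return table


def audit(allowed, mac_table_text: str, arp_text: str) -> list:
    """Return (kind, detail) findings; an empty list means everything matches."""
    by_mac = {normalize_mac(b.mac): b for b in allowed}
    by_ip = {b.ip: b for b in allowed}
    findings = []
    for mac, ports in sorted(parse_mac_table(mac_table_text).items()):
        if len(ports) > 1:
            # one MAC behind two ports is the "two hosts, one MAC" situation
            # of the article, which a switch (unlike a hub) makes visible
            findings.append(("MAC_ON_MULTIPLE_PORTS", f"{mac} on {sorted(ports)}"))
        binding = by_mac.get(mac)
        if binding is None:
            findings.append(("UNREGISTERED_MAC", mac))
            continue
        for port in sorted(ports - {binding.port}):
            findings.append(("MAC_ON_WRONG_PORT",
                             f"{mac} on {port}, bound to {binding.port}"))
    for ip, mac in sorted(parse_arp_table(arp_text).items()):
        binding = by_ip.get(ip)
        if binding is None:
            findings.append(("UNREGISTERED_IP", f"{ip} -> {mac}"))
        elif normalize_mac(binding.mac) != mac:
            findings.append(("IP_MAC_MISMATCH",
                             f"{ip} -> {mac}, bound to {normalize_mac(binding.mac)}"))
    return findings


# Constructed allow list (ports and addresses are made up for this example).
ALLOWED = [
    Binding("Gi0/1", "00:50:da:11:22:33", "192.168.1.10"),   # host 2
    Binding("Gi0/2", "00:50:da:44:55:66", "192.168.1.20"),   # internal server
]

# Constructed MAC table snapshot: the host-2 MAC also shows up on Gi0/5.
MAC_TABLE = """\
Vlan  Mac Address     Type     Ports
1     0050.da11.2233  DYNAMIC  Gi0/1
1     0050.da11.2233  DYNAMIC  Gi0/5
1     0050.da44.5566  DYNAMIC  Gi0/2
"""

# Constructed ARP table snapshot: one IP that was never registered.
ARP_TABLE = """\
192.168.1.10  00:50:da:11:22:33
192.168.1.20  00:50:da:44:55:66
192.168.1.30  00-50-DA-77-88-99
"""

if __name__ == "__main__":
    for kind, detail in audit(ALLOWED, MAC_TABLE, ARP_TABLE):
        print(f"{kind}: {detail}")
```

The audit works only on a switched network: on the hub used in the experiment both hosts sit behind the same port and the MAC table cannot separate them, which is one reason the article lists port binding alongside proxy, firewall, PPPoE and directory-service methods rather than on its own.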